Time synchronization in an all virtual environment guide

I have been asked a lot about how to configure time in your domain when all the Domain Controllers (DCs) are virtual and running on Microsoft Hyper-V. People will say just stick to a physical DC. However, sometimes this is not an option. In this article, I am going to walk you through the best way to set up time synchronization.

Why is time synchronization important?

When the OS boots up, it looks for a source for the current time. This is fine on a physical box, as it will use the system clock. Virtual machines do not have a system clock. Instead, they ask the Hyper-V host for the current time. Once a VM has fully booted up, it uses the domain hierarchy (if set up) to synchronize its clock at regular intervals.

Let us imagine that all our DCs are down, or having issues and not responding in a timely manner. This is when time can start to shift. The virtual DCs will synchronize with the time on the Hyper-V host, causing their time to be inaccurate. This starts a knock-on effect that leaves all machines in the domain with the wrong time, which in turn causes issues with Kerberos, logins, some websites and more.

How to set up time synchronization correctly

First, we need to check that all virtual DCs are allowed to use the time synchronization Hyper-V integration component during startup and only during startup. This can be done via Hyper-V settings on each host.

We then need to add a registry entry on all DCs to make sure they will not use the Hyper-V integration services for time synchronization once booted. In an elevated PowerShell window, type:

New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider -Name Enabled -Value 0 -Force

Now that this has been set up, we need to make sure that the DC that holds the PDC Emulator FSMO role is synchronizing with an external time source. To find out which DC is the PDC, type the following in an elevated PowerShell window:

Get-ADDomain | Select-Object DistinguishedName, PDCEmulator

Now that we know which server is the PDC, we can set up time synchronization to use an external time source. Log on to the DC hosting the PDC role, open an elevated PowerShell window and type:

w32tm /config /manualpeerlist:"uk.pool.ntp.org" /syncfromflags:manual /reliable:yes /update

w32tm /config /update

Stop-Service w32time

Start-Sleep -Seconds 5

Start-Service w32time

w32tm /resync /rediscover

w32tm /query /source

You should change the time server in the first command above to one in your region. Go to http://www.pool.ntp.org/en/ to find one.

Now we can configure all the other DCs to use the PDC as their time source. This can be done via an elevated PowerShell window on each DC by using the following:

w32tm /config /syncfromflags:domhier /reliable:no

w32tm /config /update

Stop-Service w32time

Start-Sleep -Seconds 5

Start-Service w32time

w32tm /resync /rediscover

w32tm /query /source

And that's it. The best way to configure time synchronization in an all-virtual environment.
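
To check the result on every DC, here is an audit sketch added as an example (it is not part of the original article). It reads the VMICTimeProvider Enabled value, the W32Time sync type and the current source, and flags any DC that still follows the Hyper-V host or its own clock. The function names, the sample DC names and the use of PowerShell remoting are assumptions.

```powershell
# Added example (not from the article). Function and DC names are hypothetical.
function Get-DcTimeState {
    # Live collector: assumes PowerShell remoting to the DC is available.
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
        [pscustomobject]@{
            Name        = $using:ComputerName
            VmicEnabled = (Get-ItemProperty "$w32\TimeProviders\VMICTimeProvider").Enabled
            # Type is 'NTP' for a manual peer list and 'NT5DS' for the domain hierarchy
            SyncType    = (Get-ItemProperty "$w32\Parameters").Type
            Source      = "$(w32tm /query /source | Select-Object -First 1)".Trim()
        }
    }
}

function Test-DcTimeState {
    # Compares one DC's state with what the article's steps should produce.
    param($State, [bool]$IsPdc)
    $expected = if ($IsPdc) { 'NTP' } else { 'NT5DS' }
    $issues = @()
    if ($State.VmicEnabled -ne 0) { $issues += 'VMICTimeProvider is still enabled' }
    if ($State.SyncType -ne $expected) {
        $issues += "sync type is $($State.SyncType), expected $expected"
    }
    # Sources that mean the DC follows the Hyper-V host or its own clock
    $bad = 'VM IC Time Synchronization Provider|Local CMOS Clock|Free-running System Clock'
    if ($State.Source -match $bad) { $issues += "source is '$($State.Source)'" }
    [pscustomobject]@{
        DC = $State.Name; IsPdc = $IsPdc; Source = $State.Source; Issues = $issues -join '; '
    }
}

# Constructed sample states so the check can be tried offline.
$samplePdc = 'dc01.corp.example'
$samples = @(
    [pscustomobject]@{ Name = 'dc01.corp.example'; VmicEnabled = 0; SyncType = 'NTP';   Source = 'uk.pool.ntp.org' }
    [pscustomobject]@{ Name = 'dc02.corp.example'; VmicEnabled = 1; SyncType = 'NT5DS'; Source = 'VM IC Time Synchronization Provider' }
    [pscustomobject]@{ Name = 'dc03.corp.example'; VmicEnabled = 0; SyncType = 'NTP';   Source = 'Local CMOS Clock' }
)
$samples | ForEach-Object { Test-DcTimeState -State $_ -IsPdc ($_.Name -eq $samplePdc) } |
    Format-Table -AutoSize -Wrap

# Live run (needs the ActiveDirectory module):
# $pdc = (Get-ADDomain).PDCEmulator
# (Get-ADDomainController -Filter *).HostName | ForEach-Object {
#     Test-DcTimeState -State (Get-DcTimeState -ComputerName $_) -IsPdc ($_ -eq $pdc) }
```

On the sample data, dc01 reports no issues, dc02 is flagged for the enabled provider and the Hyper-V source, and dc03 is flagged as a non-PDC DC configured for manual NTP while running from its local clock.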

If you have any questions or thoughts, drop a message below.


About the author
Richard Hooper has been interested in computers since he was very young. His passion for technology continued to grow until he managed to turn it into a career. He has worked in IT for more than 10 years at a variety of companies, including Hewlett Packard Enterprise (HPE). He is currently at the UK's largest Business Energy Consultancy, which is based in Newcastle Upon Tyne. He works with Microsoft technologies: Azure Hyper-V, Failover Cluster Manager, SQL, SCCM, VMM, DPM and many more. Richard holds many Microsoft certifications including MCSE: Cloud Platform and Infrastructure. Follow him on his blog and on Twitter